
How to decode encrypted SAML response from idP with PHP?

First time trying to implement SAML as an SP. We decided to try using SimpleSAMLphp with our bespoke MVC framework as we figured it would save us time.

Problem that I have is that I end up in an infinite loop or the attributes are empty.

I have configured my metadata and tested it from the authenticate interface in SimpleSAMLphp. The idP has a post-back URL set that is different to where we begin, so:

  • User hits domain.com/sso; we create a new instance of SimpleSAML_Auth_Simple('our-configured-sp')
  • Call $as->requireAuth()
  • Client is redirected to idP
  • idP redirects user back to domain.com/sso/saml

If we do this, we have to create a new instance using the same code ($as = new SimpleSAML_Auth_Simple('our-configured-sp'), for example) and when we do $as->getAttributes() it is an empty array. We're using the phpsession store.type, but when I look at the cookies on the domain I see only PHPSESSID and SimpleSAMLAuthToken.

So we tried putting it all into one method. As above, only you begin on domain.com/sso/saml, except this time the loop keeps going over and over. The user hits our domain, is redirected to the idP, then redirected back to us, then back to the idP, forever.

Eventually I gave up. I can get the response in $_POST['SAMLResponse'] and I can base64_decode() it to see what it says. I put it into a SimpleXMLElement object and was able to work with it. The problem is that the data is encrypted, and now I'm stuck trying to decrypt it.

I have data in these nodes but don't know what to do with it:

  • samlp:Response->saml:EncryptedAssertion->EncryptedData->KeyInfo->EncryptedKey->X509Data->X509Certificate
  • samlp:Response->saml:EncryptedAssertion->EncryptedData->KeyInfo->EncryptedKey->CipherData->CipherValue
  • samlp:Response->saml:EncryptedAssertion->EncryptedData->CipherData->CipherValue

I don't know how to use each of these, though I can verify that the X509Certificate is the public key to match my private key. I've tried decoding various values using different keys (or what I thought were keys) to no avail.

  • samlp:Response->saml:EncryptedAssertion->EncryptedData->KeyInfo->EncryptedKey->EncryptionMethod suggests RSA1_5
  • samlp:Response->saml:EncryptedAssertion->EncryptedData->EncryptionMethod suggests AES256-CBC (I've been trying mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, "cbc", $iv); though I can't actually work out what I'm supposed to put into $key or $data)

Ideally I'd like to get it working completely within SimpleSAMLphp, but I honestly have no idea what the problem is so I don't know how to sort it. Metadata looks like this:

$metadata = array(
    'https://partner.com' => array(
        'SingleSignOnService' => 'https://partner.com/sso/response',
        'SingleLogoutService' => 'https://partner.com/sso/slo',
        'assertion.encryption' => true,
        'certificate' => 'partner.cer'
    )
);

Authsources has this:

$config = array(
    'our-configured-sp' => array(
        'saml:SP',
        'privatekey' => 'my.private.pem',
        'certificate' => 'my.public.cert',
        'idp' => 'https://partner.com',
        'baseurlpath' => 'simplesaml/',
    )
);

Any help? Preferably to get the whole thing working with SimpleSAMLphp, but if not I'd take a little guidance on how to decrypt the file.

Thanks everyone
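A decryption routine for the EncryptedAssertion layout listed in the question (EncryptedKey inside EncryptedData/KeyInfo, RSA1_5 key transport, AES-256-CBC data encryption), added here as an example that is not from the question, SimpleSAMLphp or OneLogin. MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block, not AES-256 (AES always uses a 128-bit block), so the mcrypt call in the question cannot decrypt this data; openssl_decrypt('aes-256-cbc') is used instead. It assumes $samlResponseXml is base64_decode($_POST['SAMLResponse']) and $privateKeyPem is the PEM text of the 'my.private.pem' key from authsources.

```php
<?php
// Assumed inputs: $samlResponseXml = base64_decode($_POST['SAMLResponse']); $privateKeyPem = PEM text of my.private.pem.
const NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion';
const NS_XENC = 'http://www.w3.org/2001/04/xmlenc#';
const NS_DS   = 'http://www.w3.org/2000/09/xmldsig#';
function decryptSamlAssertion(string $samlResponseXml, string $privateKeyPem): string
{
    $doc = new DOMDocument();
    // The response is network input: no external fetches and no entity substitution.
    if (!$doc->loadXML($samlResponseXml, LIBXML_NONET)) {
        throw new RuntimeException('SAMLResponse is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', NS_SAML);
    $xp->registerNamespace('xenc', NS_XENC);
    $xp->registerNamespace('ds', NS_DS);
    $encData = $xp->query('//saml:EncryptedAssertion/xenc:EncryptedData')->item(0);
    if ($encData === null) {
        throw new RuntimeException('no EncryptedData in response');
    }
    // Refuse anything but the algorithm pair the response declares, rather than guessing.
    $encKey  = 'ds:KeyInfo/xenc:EncryptedKey/';
    $keyAlg  = $xp->evaluate("string({$encKey}xenc:EncryptionMethod/@Algorithm)", $encData);
    $dataAlg = $xp->evaluate('string(xenc:EncryptionMethod/@Algorithm)', $encData);
    if ($keyAlg !== NS_XENC . 'rsa-1_5' || $dataAlg !== NS_XENC . 'aes256-cbc') {
        throw new RuntimeException("unsupported algorithms: $keyAlg / $dataAlg");
    }
    $wrappedKey = base64_decode($xp->evaluate("string({$encKey}xenc:CipherData/xenc:CipherValue)", $encData), true);
    $blob       = base64_decode($xp->evaluate('string(xenc:CipherData/xenc:CipherValue)', $encData), true);
    if ($wrappedKey === false || $blob === false || strlen($blob) <= 16) {
        throw new RuntimeException('CipherValue is not valid base64 or is too short');
    }
    // Step 1: RSA1_5 is RSA with PKCS#1 v1.5 padding; it unwraps the random 32-byte AES key.
    $priv = openssl_pkey_get_private($privateKeyPem);
    $sessionKey = '';
    if ($priv === false || !openssl_private_decrypt($wrappedKey, $sessionKey, $priv, OPENSSL_PKCS1_PADDING)
        || strlen($sessionKey) !== 32) {
        throw new RuntimeException('could not unwrap the AES-256 session key');
    }
    // Step 2: XML Encryption prepends the 16-byte IV to the CBC ciphertext. Padding is removed by
    // hand: XML Enc only promises the last byte is the pad length, looser than openssl's PKCS#7 check.
    $plain = openssl_decrypt(substr($blob, 16), 'aes-256-cbc', $sessionKey,
                             OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, substr($blob, 0, 16));
    $padLen = $plain === false ? 0 : ord(substr($plain, -1));
    if ($padLen < 1 || $padLen > 16 || $padLen > strlen($plain)) {
        throw new RuntimeException('AES-256-CBC decryption failed');
    }
    return substr($plain, 0, -$padLen); // the <saml:Assertion> XML, signature not yet verified
}
```

The returned assertion still needs its XML signature, Conditions and Audience checked before any attribute is trusted, which is the part SimpleSAMLphp or OneLogin's toolkit does for you. RSA1_5 key transport is also a padding-oracle risk when decryption failures are observable, so RSA-OAEP is the safer choice where the IdP can be configured.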

Please check the OneLogin SAML PHP library. It is well documented and coded. You can easily use its processResponse and getAttributes to do what you want.

I know the question is old, but it may help someone still looking for the same.
